As a general rule, the three techniques I describe could/should apply anywhere (not just Bluemix applications) - the key question is whether the target endpoint you are interested in is capable of supporting the necessary behaviour in its endpoints.

So in the case of your example of applications running in containers, the "option 1" scenario depends on whether the container (or the ingress mechanism that routes to the container) is capable of supporting TLS mutual authentication - it is common for one-way (server-side) certificates to be supported, but the mutual TLS scenario is more advanced so may not always be supported by your container infrastructure.

Options 2 and 3 are generally straightforward to achieve even if your application is running in a container because they are changes that are made to the application logic itself, unrelated to the infrastructure in which the app is deployed.